Course

In this course, we explore the exploitation of vulnerabilities in applications that use JSON Web Encryption (JWE) for authentication. JWE tokens encrypt information using two keys: a Content Encryption Key (CEK) and a public key. The integrity of the data is protected by the CEK, making it difficult for an attacker to tamper with the data without this key. However, the availability of the public key to users introduces a significant security flaw.

Through a series of practical steps, you will learn how to create your own JWE token using the public key provided by the application. This course demonstrates that even with encrypted values and data integrity mechanisms, it is possible to forge tokens and gain unauthorized access. By the end of the course, you will understand the design issues of JWE and how to exploit them to achieve administrative access in a vulnerable application.